Researcher Oren Hafif uncovered a new attack vector in which a malicious file is downloaded from a website without ever having been uploaded to it.

Oren presented the new Web attack vector at Black Hat Europe in Amsterdam. The attack injects operating-system commands (command injection) into a URL parameter that the vulnerable site reflects back in a JSON file or JSONP response. What is needed is an API that accepts user-controlled input and reflects it into the response, much like reflected XSS. The downloaded file is not hosted on the targeted website; it is reflected from it. To the user the download appears to come from a trusted source (google.com), but the file is not actually hosted there.

When a victim clicks the crafted link, the browser sends a request to the vulnerable website, which returns a response that the browser saves to the victim's computer as a file. The attacker sets the name of the malicious file in the URL that is sent to the victim.

For example, in Google Chrome, clicking a link to a URL whose response carries a .bat file name and is served as an attachment causes the file to be downloaded automatically to the operating system. The same happens for many file extensions and in almost all browsers.

Reflected File Download Demo: Gmail : Zero X Dude

How it works

The attacker gets the operating system to execute a BAT file, which carries out the RFD. That BAT file is generated from parameters injected into a JSON response served from a trusted location.

The BAT file takes advantage of the OR operator, ||, in the Windows command interpreter, which chains two commands together.

The FIRST command fails (returns FALSE), so the SECOND command runs, and the calculator starts. If the FIRST command succeeds (returns TRUE), the SECOND command does not run.

The same applies to the JSON case: the command is injected directly into the reflected response, and the downloaded command file is executed using the same || operator. The FIRST command (the reflected JSON text) fails, which causes the SECOND command to execute.
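The two preconditions the article describes, an API that reflects user input and a filename taken from the URL, are what a defender has to break on the server side. The following is an added example (not code from the article, from Oren Hafif, or from Google) of a hardened JSON/JSONP response builder plus an audit check for its headers; the callback whitelist, the pinned filename `api-response.json` and the function names are assumptions chosen for this illustration.

```python
import json
import re
from typing import Optional, Tuple

# Whitelist for the JSONP callback name: identifier characters only, bounded length.
# Spaces, quotes, '|', '&' and ';' are refused outright; they are what an RFD
# payload needs once the reflected body is saved and run as a .bat file.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

# Name the server pins on every API download, so the URL path no longer decides
# the saved file's extension. (Hypothetical value chosen for this example.)
PINNED_FILENAME = "api-response.json"


class RejectedInput(ValueError):
    """Raised when a user-supplied callback does not match the whitelist."""


def build_jsonp_response(callback: Optional[str], payload: dict) -> Tuple[dict, bytes]:
    """Return (headers, body) for a JSON/JSONP API response hardened against RFD.

    Reflected values inside `payload` are still echoed (that is the API's job);
    the mitigations make the echo harmless as a download:
      - the callback is whitelisted, so it cannot smuggle shell syntax
      - Content-Disposition pins the filename, so a permissive URL path cannot
        choose the extension the browser saves the response under
      - X-Content-Type-Options: nosniff stops the browser guessing another type
    """
    if callback is not None and not CALLBACK_RE.match(callback):
        raise RejectedInput("callback name contains disallowed characters")
    body = json.dumps(payload, ensure_ascii=True, separators=(",", ":"))
    if callback is None:
        content_type = "application/json; charset=utf-8"
    else:
        body = f"/**/{callback}({body});"
        content_type = "application/javascript; charset=utf-8"
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{PINNED_FILENAME}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body.encode("utf-8")


def is_rfd_hardened(headers: dict) -> bool:
    """Audit check: do these response headers carry the mitigations above?"""
    disposition = headers.get("Content-Disposition", "")
    pinned = disposition.startswith("attachment;") and 'filename="' in disposition
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    return pinned and nosniff
```

`is_rfd_hardened` can be run over the headers of every JSON endpoint in a scanner to find responses that would still be saved under a caller-chosen name.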